Section: jAcl2 general concepts


jAcl2 covers everything related to rights management, or access control lists
(ACL). Access control lists are a way to manage application permissions in a
fine-grained, yet easily maintainable and manageable way. But what is a right?
A right in jAcl2 is defined by three elements.

A right or permission is always related to one or more users. The jAcl2 API
handles this notion transparently: only the ACL "driver" actually knows who the
current user is (through jAuth, of course). A driver could even manage user
groups to which it applies rights or permissions (as jAcl2.db does), but you
don't need to worry about that at this level.

In most cases, associating a subject with a user is enough. But sometimes a more fine-grained control is needed.

For example, in a CMS, you want to give an author the right to modify his own
articles but not the other ones. In that case, the right must be defined as a
combination of a subject, a user and an article id. See below:

In fact, the jAcl2 core only contains links, or relations, between two or three element types.

Storing such a relation between a user, a subject and optionally a resource
defines a right. Note that the absence of such a relation between some
elements does not mean that no rights apply at all.

Imagine the list of rights below:

"cms.articles.read" for user "laurent"

"cms.articles.create" for user "laurent"

"cms.articles.update" for user "laurent"

Then, laurent will have the right to read, create and modify CMS articles,
but NOT the right to delete them ("cms.articles.delete"), because there is no
relation between that subject and laurent.

A CMS admin module would ask jAcl2 what a user can do. For example, it
could ask whether the currently authenticated user has the right
"cms.articles.update". If the answer is yes, the module could display an edit
button. (Of course, it should also check this right again when saving, to
prevent "frauds" ;-) ).
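The two checks described above, as an added example that is not code from the jAcl2 manual: a hypothetical CMS controller that calls jAcl2::check() with the subject "cms.articles.update" and the article id as resource, once to decide whether to render the edit button and once again on the save path. The controller, action, template and DAO names are assumed for illustration.

```php
<?php
// Added example (not from the jAcl2 manual): a hypothetical CMS admin controller.
// jAcl2::check() asks the ACL driver whether the currently authenticated user
// holds the given subject, optionally restricted to one resource (here the
// article id). Controller, template and DAO names are assumed for illustration.
class articleCtrl extends jController {

    // Shows the article; the edit button is rendered only if the user may
    // update THIS article (subject + resource), not just articles in general.
    function view() {
        $id = $this->intParam('id');
        $rep = $this->getResponse('html');
        $tpl = new jTpl();
        $tpl->assign('article', jDao::get('cms~article')->get($id));
        $tpl->assign('canEdit', jAcl2::check('cms.articles.update', $id));
        $rep->body->assign('MAIN', $tpl->fetch('cms~article_view'));
        return $rep;
    }

    // Repeats the check on the write path: hiding the button is only a courtesy
    // to the user, the check here is what actually enforces the right.
    function save() {
        $id = $this->intParam('id');
        if (!jAcl2::check('cms.articles.update', $id)) {
            $rep = $this->getResponse('html');
            $rep->setHttpStatus('403', 'Forbidden');
            $rep->body->assign('MAIN', '<p>You are not allowed to edit this article.</p>');
            return $rep;
        }
        $dao = jDao::get('cms~article');
        $article = $dao->get($id);
        $article->title = $this->param('title');
        $article->content = $this->param('content');
        $dao->update($article);
        return $this->redirect('cms~article:view', array('id' => $id));
    }
}
```

With the jAcl2.db driver, a relation stored for the subject without any resource applies to all articles, while a relation stored with an article id applies to that article only, which is how the "author edits his own articles" case above is expressed.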

This manual is distributed under the terms of licence Creative Commons by-nc-sa 3.0. Therefore you're allowed to copy, modify and distribute and transmit it publicly under the following conditions: Attribution, Noncommercial, Share Alike.